CVE-2024-47754 - How a Mediatek Video Codec Bug Could Crash Your Linux Kernel & What’s Been Fixed

In June 2024, security researchers patched a new vulnerability in the Linux kernel affecting Mediatek’s video decoder driver. The flaw (CVE-2024-47754) happened in the handling of H264 video streams and could cause your kernel to crash unexpectedly. This post will break down what went wrong, how it could be abused, show some example code, and point you to official references.

The Vulnerability: What is CVE-2024-47754?

CVE-2024-47754 centers around the Linux kernel’s media subsystem, particularly the Mediatek video decoding driver (vcodec), used mostly in ARM SoCs on phones, TV boxes, and IoT devices. Specifically, it involves improper handling in the vdec_h264_req_multi_if.c file. This code helps decode H264 video streams.

Here’s what happened:
A static analysis tool called Smatch found that in some situations, the frame buffer pointer (fb) could be NULL. The old code assumed fb was always valid and used it — but if it’s NULL, the kernel crashes.

Here’s a simplified version of the vulnerable code

// Buggy snippet inside vdec_h264_req_multi_if.c 
// Older/buggy code
if (fb->some_field) {   // Oops: fb might be NULL!
    // ...use fb
}

If fb is NULL, the reference to fb->some_field causes a kernel NULL pointer dereference — and then, crash.

How does this get triggered? If userspace provides specific sequences or malformed data, it can trick the driver into this bad code path.

Security Impact

The flaw is not a “privilege escalation” or code execution bug. Instead, it’s a Denial of Service (DoS) issue:

- Local attackers (or buggy software) could crash the entire kernel by feeding certain crafted video data to the decoder via V4L2 ioctl calls.
- Anyone with media decoding capabilities (such as a video player or possibly a manipulated browser) could try to exploit the bug.

On devices where kernel stability is critical — like Android tablets or smart TVs — this can be abused to trigger reboots or lockups.

The Patch: How Was CVE-2024-47754 Fixed?

The fix is both simple and solid — always check if fb is non-NULL before using it.

The Secure Code

// vdec_h264_req_multi_if.c (fixed)
if (fb && fb->some_field) {
    // Safe to use fb now
    // ...do video processing
}

By adding fb && in the condition, the kernel checks that the pointer is valid before dereferencing it.

The official Linux patch describes it as

> “Fix a smatch static checker warning on vdec_h264_req_multi_if.c.
> Add a check for NULL fb, which leads to a kernel crash when fb is NULL.”

Reference: The Official Patch

You can read the fix here:
- Linux kernel commit

Proof-of-Concept (PoC) — How Could This Crash Be Triggered?

Disclaimer: Don't test this on production devices.

Suppose a user writes a tool that makes a custom V4L2 call to the H264 decoder, purposely passing a NULL or corrupted frame buffer pointer. (This could happen by fuzzing or writing a misbehaving app.)

Pseudocode example

#include <linux/videodev2.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

int main(void) {
    int fd = open("/dev/video", O_RDWR);
    if (fd < ) return 1;

    struct v4l2_buffer buf;
    memset(&buf, , sizeof(buf));
    buf.memory = V4L2_MEMORY_MMAP;
    // DELIBERATELY skip mapping or initializing .m.offset/length!
    // Triggering the NULL frame buffer in the driver

    ioctl(fd, VIDIOC_QBUF, &buf); // This could crash the kernel!
    close(fd);
    return ;
}

This simple app sends an incomplete buffer to the video decoder, simulating a scenario where fb may be NULL.

How To Protect Yourself

- Update your kernel: If your device uses Mediatek SoCs and video decoding, update to a kernel *after* June 2024.

More References and Resources

- Linux Kernel CVE-2024-47754 Entry
- Mediatek vcodec GitHub
- Smatch Static Analyzer
- Linux Media Mailing List Patch

Conclusion

CVE-2024-47754 is a classic example of why you should never assume a pointer is valid in kernel code. A simple mistake can lead to serious problems on millions of devices. Thankfully, the fix was quick and straightforward. Stay updated, and keep your video drivers bug-free!

Timeline

Published on: 10/21/2024 13:15:05 UTC
Last modified on: 10/22/2024 16:10:21 UTC